Vulnerability Development mailing list archives

Covert channel application using libnet and libpcap


From: Rohit Sharma <rohits79 () yahoo com>
Date: 9 Oct 2002 05:53:33 -0000



I am sorry for cross-posting, but such a "covert channel"
can easily be built using the libnet and libpcap libraries.


Fun under the nose:

This possibly explains how a spyware module could
communicate with another host and send some
confidential data. I am not sure whether it has been
implemented before, but something like this is easy to
implement, in my opinion.

Imagine a Watchdog client (WDC) probing some XYZ host
every 30 seconds for some service etc. Attached
to the WDClient is nothing but a spyware module. Now,
since the WDClient generally runs in superuser mode, as it
has to alert or log etc., it is easy for the WDC to make
use of all those restricted resources. After it has the
confidential text it can encode it in some numeric
form and send it in the TCP header, not the payload.
Yes, the TCP header: as the acknowledgement number. It need
not modify the payload or the actual data content. If
the text is too big, simply fragment it, put it
across as different TCP acks, and number the
sequence numbers accordingly so the text can be reassembled
properly. This may sound funny or impossible,
but for any watchdog that works over TCP it can be
very simply implemented.

Here, in the libnet-generated packet, I am simply sending
the text "Rohit" in the TCP header. Look at the
acknowledgement field: each character is its position
in the alphabet, R-18, o-15, etc.
Similarly, in the next packet I can send something like
"Sharma", but with the sequence number 11112.

From the test example in the libnet project:

    /*
     *  Build the TCP header.  The acknowledgement field carries "Rohit"
     *  as the alphabet positions 18 15 08 09 20.
     */
    libnet_build_tcp(src_prt,       /* Source TCP port */
            dst_prt,                /* Destination TCP port */
            11111,                  /* Sequence number */
            1815080920,             /* Acknowledgement number */
            TH_SYN,                 /* Control flags */
            1024,                   /* Window size */
            0,                      /* Urgent pointer */
            NULL,                   /* Pointer to payload (none) */
            0,                      /* Payload length */
            buf + LIBNET_IP_H);     /* Packet header memory */



It is very possible that the administrator will
never look at the ack field of a packet that is
generated every 30 seconds or so. The other end
will simply read such a packet. To differentiate
it from the other, normal packets, sequence numbers
starting with all 1's or 2's etc. work well.
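The encoding described above, worked through from the receiving (or analyst's) side as an added example that is not part of the original post or of libnet: letters become two-digit alphabet positions packed into the 32-bit acknowledgement field (the post's 1815080920 is 18 15 08 09 20), and fragments are put back together in sequence-number order. Padding unused pairs with 00 and folding case are assumptions of this example; the capture records are constructed in code rather than read with libpcap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct pkt { uint32_t seq; uint32_t ack; };   /* one constructed capture record */
/* Pack up to five letters as two-digit alphabet positions (R=18, o=15, ...) into
 * one 32-bit ack number, trailing pairs 00; case is lost.  Returns 0 if the text
 * cannot be carried this way (empty, too long, or not letters). */
uint32_t encode_ack(const char *s) {
    size_t len = strlen(s);
    uint32_t v = 0;
    if (len == 0 || len > 5) return 0;
    for (size_t i = 0; i < 5; i++) {
        int c = i < len ? (s[i] | 0x20) : 0;      /* 0 fills the unused tail */
        if (c && (c < 'a' || c > 'z')) return 0;
        v = v * 100 + (c ? (uint32_t)(c - 'a' + 1) : 0);
    }
    return v;
}
/* Inverse: five 2-digit pairs back to lowercase letters.  Returns the letter count,
 * or -1 when a pair is outside 1..26, i.e. the field is not carrying this encoding
 * (the per-packet check a detector would apply to the ack field). */
int decode_ack(uint32_t ack, char out[6]) {
    char d[11]; int n = 0;
    snprintf(d, sizeof d, "%010u", (unsigned)ack);
    for (int i = 0; i < 10; i += 2) {
        int pos = (d[i] - '0') * 10 + (d[i + 1] - '0');
        if (pos == 0) break;                      /* trailing padding */
        if (pos > 26) return -1;
        out[n++] = (char)('a' + pos - 1);
    }
    out[n] = '\0';
    return n;
}
/* Put fragments in sequence-number order and concatenate them, as the other end
 * (or an analyst with a capture) would.  -1 if a fragment fails or out is too small. */
int reassemble(struct pkt *p, size_t n, char *out, size_t cap) {
    for (size_t i = 1; i < n; i++)                /* insertion sort by seq */
        for (size_t j = i; j > 0 && p[j - 1].seq > p[j].seq; j--) {
            struct pkt t = p[j]; p[j] = p[j - 1]; p[j - 1] = t;
        }
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        char frag[6];
        int k = decode_ack(p[i].ack, frag);
        if (k < 0 || total + (size_t)k >= cap) return -1;
        memcpy(out + total, frag, (size_t)k);
        total += (size_t)k;
    }
    out[total] = '\0';
    return (int)total;
}
```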



